1 / 14

Announcements: Questions? This week: Digital signatures, DSA Secret sharing

Learn about digital signatures in DSA and RSA, how they are generated and verified, and the security considerations for each algorithm.

ddeal
Download Presentation

Announcements: Questions? This week: Digital signatures, DSA Secret sharing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DTTF/NB479: Dszquphsbqiz Day 30 • Announcements: • Questions? • This week: • Digital signatures, DSA • Secret sharing

  2. Sig = f(user, message) RSA Signatures allow you to recover the message from the signature; ElGamal signatures don’t ElGamal • Alice chooses: • p,primitive root a, secret a, and b ≡ aa(mod p) • Publishes (p, a, b), keeps a secret • Alice’s signature: • Chooses k: random, gcd(k, p-1)=1 • Sends m, (r,s), where: • r ≡ ak (mod p) • s ≡ k-1(m – ar) (mod p-1) • Bob’s verification: • Does brrs ≡ am (mod p)? RSA • Alice chooses: • p,q, n=pq, • e: gcd(n, (p-1)(q-1))=1, • d: ed ≡ 1(mod ((p-1)(q-1)) • Publishes n, e • Alice’s signature: • y ≡ md(mod n). Delivers (m, y) • Bob’s verification: • Does m ≡ ye (mod n)?

  3. It’s quicker to sign a short digest than to sign a long message • Note that we need to choose n > m in RSA, p > m in ElGamal • Problem: m could be long! • But h(m) is short! • So Alice sends (m, sig(h(m))) • Eve intercepts this, wants to sign m’ with Alice’s signature, so needs sig(h(m’)) = sig(h(m)), and thus h(m)=h(m’) • Why can’t she do this?

  4. Birthday attacks can be successful on signatures that are too short • Slightly different paradigm: two rooms with r people each. What’s the probability that someone in this room has the same birthday as someone in the other room. • Approximation: • We divide by N, not 2N. • But setting the probability = 0.5 and solving for r, we get r=c*sqrt(n) again (where c=sqrt(ln 2)~.83) • Consider a 50-bit hash. Only need O(2^25) documents • These are relatively easy to generate, actually.

  5. Birthday attacks on signatures that are too short • Mallory generates 2 groups of documents: • She takes a match (m1, m2) between them such that h(m1) = h(m2) • Mallory sends (m1, h(m1)) to Alice, who returns signed copy: (m1, sig(h(m1)). • Mallory replaces m1 with m2 and uses sig(h(m1) as the signature. • The pair (m2, sig(h(m1)) looks like Alice’s valid signature! • Alice’s defense? What can she do to defend herself? r “fraudulent docs” r “good docs”

  6. Alice’s defense • She changes a random bit herself! • Note this changes her signature: (m1’, sig(h(m1’)) • Mallory is forced to generate another message with the same hash as this new document. • Good luck! • Lessons: • Birthday attacks essentially halve the number of bits of security. • So SHA-1 is still secure against them • Make a minor change to the document you sign!

  7. Code-talkers? http://xkcd.com/c257.html Seriously, the Navajo code talkers created effective codes used in WWII: http://en.wikipedia.org/wiki/Code_talker As far as I can tell, Navajo doesn’t have a word for zero. Do-neh-lini means neutral.

  8. DSA: Digital Signature Algorithm • 1994 • Similar to ElGamal • signature with appendix • But verification is faster • And it’s guaranteed to be more secure • Assume m is already hashed using SHA: so we are signing a 160-bit message, m.

  9. 1-3 DSA: Digital Signature Algorithm • Alice’s Setup: • m: 160-bit message • q: 160-bit prime • p: 512-bit prime, such that q is a factor of (p-1) • g: a primitive root of p. • a≡g(p-1)/q (mod p) • Then aq≡ 1 (mod p). (Why?) • b≡aa. Secret a, 0 < a < q-1 • Publishes: (p,q,a,b) • Sig = (r,s) • random k, 0 < k < q-1 • r ≡ak (mod q) • s = k-1(m + ar) (mod q) • Verify: • Compute u1 ≡ s-1m (mod q), u2 ≡ s-1r (mod q) • Does (au1bu2 (mod p))(mod q) = r? q=17 p=103 g=2 a=?

  10. 4 DSA: Digital Signature Algorithm • Advantages over ElGamal? • In ElGamal, if you could solve r = ak (mod p) by Pollig-Hellman, you’d have k. • In DSA, (p-1) has a large factor, q. • If you could solve the non-q factors, there would still be q possibilities for k. • How many ints (mod p) give a specific int (mod q)? • Alice’s Setup: • m: 160-bit message • q: 160-bit prime • p: 512-bit prime, such that q is a factor of (p-1) • g: a primitive root of p. • a≡g(p-1)/q (mod p) • Then aq≡ 1 (mod p). (Why?) • b≡aa. Secret a, 0 < a < q-1 • Publishes: (p,q,a,b) • Sig = (r,s) • random k, 0 < k < q-1 • r ≡ak (mod q) • s = k-1(m + ar) (mod q) • Verify: • Compute u1 ≡ s-1m (mod q), u2 ≡ s-1r (mod q) • Does (au1bu2 (mod p))(mod q) = r? q=17 p=103 g=2 a=64

  11. DSA: Digital Signature Algorithm • How hard is it to search for a 512-bit prime p = kq + 1 for some even number k? • How do we search for primes? • 1/115 of odd 100-digit numbers are prime. • What fraction of odd 512-bit integers are prime? • Recall our discussion of the density of primes • Alice’s Setup: • m: 160-bit message • q: 160-bit prime • p: 512-bit prime, such that q is a factor of (p-1) • g: a primitive root of p. • a≡g(p-1)/q (mod p) • Then aq≡ 1 (mod p). (Why?) • b≡aa. Secret a, 0 < a < q-1 • Publishes: (p,q,a,b) • Sig = (r,s) • random k, 0 < k < q-1 • r ≡ak (mod q) • s = k-1(m + ar) (mod q) • Verify: • Compute u1 ≡ s-1m (mod q), u2 ≡ s-1r (mod q) • Does (au1bu2 (mod p))(mod q) = r? q=17 p=103 g=2 a=64

  12. (Day 21) Using within a primality testing scheme n • Finding large probable primes • #primes < x = Density of primes: ~1/ln(x) For 100-digit numbers, ~1/230. So ~1/115 of odd 100-digit numbers are prime Can start with a random large odd number and iterate, applying M-R to remove composites. We’ll soon find one that is a likely prime. Odd? no div by other small primes? no Pass M-R? yes Prime by Factoring/advanced techn.? yes prime

  13. Alice’s Setup: m: 160-bit message q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. a=g(p-1)/q (mod p) Then aq= 1 (mod p). (Why?) b = aa. Secret a, 0 < a < q-1 Publishes: (p,q,a,b) Sig = (r,s) random k, 0 < k < q-1 r = ak (mod p) s = k-1(m + ar) (mod q) Verify: Compute u1 = s-1m, u2 = s-1r Does (au1bu2 (mod p))(mod q) = r? Show that order of ops matters: (ak(mod p))(mod q) ≠ (ak (mod q))(mod p) Easier: find (a(mod p))(mod q) ≠ (a(mod q))(mod p) 5 DSA: Digital Signature Algorithm

  14. Latest versions • Recommended: • SHA-224/256/384/512 as the hash function • q of size 224 and 256 bits • p of size 2048 and 3072. • http://csrc.nist.gov/publications/drafts/fips_186-3/Draft_FIPS-186-3%20_November2008.pdf

More Related